CVE-2026-34381 (GCVE-0-2026-34381)
Vulnerability from cvelistv5 – Published: 2026-03-31 20:31 – Updated: 2026-04-01 13:41
VLAI?
Title
Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Summary
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
Severity ?
7.5 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34381",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:40:59.551945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:41:03.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "admidio",
"vendor": "Admidio",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T20:31:23.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
},
{
"name": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf"
}
],
"source": {
"advisory": "GHSA-7fh7-8xqm-3g88",
"discovery": "UNKNOWN"
},
"title": "Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34381",
"datePublished": "2026-03-31T20:31:23.379Z",
"dateReserved": "2026-03-27T13:43:14.370Z",
"dateUpdated": "2026-04-01T13:41:03.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34381\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T21:16:30.013\",\"lastModified\":\"2026-04-01T18:24:07.830\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.0.8\",\"matchCriteriaId\":\"57D165DA-4B63-4140-9E3E-B66F1A9CE955\"}]}]}],\"references\":[{\"url\":\"https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34381\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T13:40:59.551945Z\"}}}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T13:40:52.466Z\"}}], \"cna\": {\"title\": \"Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess\", \"source\": {\"advisory\": \"GHSA-7fh7-8xqm-3g88\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Admidio\", \"product\": \"admidio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.0.8\"}]}], \"references\": [{\"url\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88\", \"name\": \"https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf\", \"name\": \"https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T20:31:23.379Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34381\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T13:41:03.359Z\", \"dateReserved\": \"2026-03-27T13:43:14.370Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T20:31:23.379Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-7FH7-8XQM-3G88
Vulnerability from github – Published: 2026-03-31 23:10 – Updated: 2026-03-31 23:10
VLAI?
Summary
Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Details
Summary
Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the
documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.
Root Cause
File 1: Intended protection (ignored):
adm_my_files/.htaccess
Require all denied
File 2: Apache config that neutralizes it:
- Command in order to search in Docker container:
docker exec admidio-sec-app cat /etc/apache2/apache2.conf
/etc/apache2/apache2.conf (Docker image)
<Directory ${APACHE_DOCUMENT_ROOT}>
AllowOverride None
</Directory>
AllowOverride None instructs Apache to skip .htaccess processing entirely, the deny rule never executes. The upload directory is inside the web root at /opt/app-root/src/adm_my_files/ and returns HTTP 200 for direct requests.
File 3: Upload response leaks the direct URL: system/file_upload.php, upload response JSON:
{
"files": [{
"name": "sensitive_poc.txt",
"url": "http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt"
}]
}
Verified PoC
Step 1: Admin creates a restricted folder (visible only to Administrator role):
modules/documents-files.php→ permissions set to roleAdministratoronly.
Step 2: Admin uploads a file to the restricted folder.
Upload response returns:
http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt
Step 3: Unauthenticated request retrieves the file:
curl -X GET 'http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt'
# Response: full file contents — no authentication required
Step 4: Confirm folder is role-restricted:
SELECT fil_name, fol_name, fol_public FROM adm_files JOIN adm_folders ON fil_fol_id = fol_id
ORDER BY fil_id DESC LIMIT 5; -- fol_public = 0, role restricted — yet file is publicly accessible
Impact
- Any document uploaded to Admidio including files restricted to specific roles is publicly accessible via direct HTTP request with no authentication required
- Role-based access control on the documents module is completely bypassed at the filesystem level
- Sensitive organizational documents (contracts, member data, financial records) are exposed to anyone who can guess or construct the file path
- The upload API response discloses the direct URL to the uploader, making path enumeration trivial
Recommended Fix
Option 1 (preferred): Enable AllowOverride in Apache config:
<Directory /opt/app-root/src/adm_my_files>
AllowOverride All
</Directory>
Option 2: Move uploads outside the web root:
Store uploaded files in a directory outside DOCUMENT_ROOT and serve them exclusively through Admidio's download handler (modules/documents-files.php?mode=download), which enforces role checks before serving the file.
Option 3: Apache-level explicit deny (does not require .htaccess):
<Directory /opt/app-root/src/adm_my_files>
Require all denied
</Directory>
The most robust long-term fix is Option 2 — moving uploads outside the web root eliminates the dependency on Apache configuration correctness entirely.
Reported by: Juan Felipe Oz @JF0x0r
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34381"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:10:03Z",
"nvd_published_at": "2026-03-31T21:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAdmidio relies on `adm_my_files/.htaccess` to deny direct HTTP access to uploaded documents. The Docker image ships with `AllowOverride None` in the Apache configuration, which causes Apache to silently ignore all `.htaccess` files. As a result, any file uploaded to the\ndocuments module regardless of the _role-based_ permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.\n\n---\n\n### Root Cause\n\n**File 1: Intended protection (ignored):** \n`adm_my_files/.htaccess`\n```apache\nRequire all denied\n```\n\u003cimg width=\"408\" height=\"403\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/95f0d389-a1a9-4dc4-9840-7f189d2c58ff\" /\u003e\n\n**File 2: Apache config that neutralizes it:** \n\n* Command in order to search in Docker container: `docker exec admidio-sec-app cat /etc/apache2/apache2.conf`\n\n`/etc/apache2/apache2.conf` (Docker image)\n```apache\n\u003cDirectory ${APACHE_DOCUMENT_ROOT}\u003e\n AllowOverride None\n\u003c/Directory\u003e\n```\n\n\u003cimg width=\"492\" height=\"328\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/2f2e09b1-0c2e-4932-8698-a40f6b92e917\" /\u003e\n\n\n`AllowOverride None` instructs Apache to skip `.htaccess` processing entirely, the deny rule never executes. The upload directory is inside the web root at `/opt/app-root/src/adm_my_files/` and returns **HTTP 200** for direct requests.\n\n**File 3: Upload response leaks the direct URL:** `system/file_upload.php`, upload response JSON:\n\n\u003cimg width=\"1528\" height=\"624\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/50e66fde-ff41-4efa-adc9-ceeb5b23a97d\" /\u003e\n\n```json\n{\n \"files\": [{\n \"name\": \"sensitive_poc.txt\",\n \"url\": \"http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\"\n }]\n}\n```\n\n### Verified PoC\n\n**Step 1: Admin creates a restricted folder (visible only to Administrator role):** \n\u003e `modules/documents-files.php` \u2192 permissions set to role `Administrator` only.\n\n\u003cimg width=\"1161\" height=\"784\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/25d81e44-9a7c-4991-b72e-6e664d176695\" /\u003e\n\n**Step 2: Admin uploads a file to the restricted folder.** \n\u003e Upload response returns:\n```\nhttp://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\n```\n\n\u003cimg width=\"1239\" height=\"294\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/84c1bcd1-47d7-4115-ac0f-653b0a6d7301\" /\u003e\n\n**Step 3: Unauthenticated request retrieves the file:**\n```bash\ncurl -X GET \u0027http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\u0027\n# Response: full file contents \u2014 no authentication required\n```\n\n\u003cimg width=\"1051\" height=\"150\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/1ed7fab7-59cb-4d5b-8c60-12108490d1e4\" /\u003e\n\n**Step 4: Confirm folder is role-restricted:**\n```sql\nSELECT fil_name, fol_name, fol_public FROM adm_files JOIN adm_folders ON fil_fol_id = fol_id \nORDER BY fil_id DESC LIMIT 5; -- fol_public = 0, role restricted \u2014 yet file is publicly accessible\n```\n---\n\n### Impact\n\n- Any document uploaded to **Admidio** including files restricted to specific roles is publicly accessible via direct HTTP request with no authentication required\n- **Role-based** access control on the documents module is completely bypassed at the filesystem level\n- Sensitive organizational documents (contracts, member data, financial records) are exposed to anyone who can guess or construct the file path\n- The upload API response discloses the direct URL to the uploader, making path enumeration trivial\n\n### Recommended Fix\n\n**Option 1 (preferred): Enable AllowOverride in Apache config:**\n```apache\n\u003cDirectory /opt/app-root/src/adm_my_files\u003e\n AllowOverride All\n\u003c/Directory\u003e\n```\n\n**Option 2: Move uploads outside the web root:** \nStore uploaded files in a directory outside `DOCUMENT_ROOT` and serve them exclusively through Admidio\u0027s download handler (`modules/documents-files.php?mode=download`), which enforces role checks before serving the file.\n\n**Option 3: Apache-level explicit deny (does not require .htaccess):**\n```apache\n\u003cDirectory /opt/app-root/src/adm_my_files\u003e\n Require all denied\n\u003c/Directory\u003e\n```\n\u003e The most robust long-term fix is Option 2 \u2014 moving uploads outside the web root eliminates the dependency on Apache configuration correctness entirely.\n\n**Reported by:** Juan Felipe Oz [@JF0x0r](https://x.com/PwnedRar_)\n\u003e [LinkedIn](https://www.linkedin.com/in/juanfelipeoz/)",
"id": "GHSA-7fh7-8xqm-3g88",
"modified": "2026-03-31T23:10:03Z",
"published": "2026-03-31T23:10:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34381"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess"
}
FKIE_CVE-2026-34381
Vulnerability from fkie_nvd - Published: 2026-03-31 21:16 - Updated: 2026-04-01 18:24
Severity ?
Summary
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf | Patch | |
| security-advisories@github.com | https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88 | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88 | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57D165DA-4B63-4140-9E3E-B66F1A9CE955",
"versionEndExcluding": "5.0.8",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON. This issue has been patched in version 5.0.8."
}
],
"id": "CVE-2026-34381",
"lastModified": "2026-04-01T18:24:07.830",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-31T21:16:30.013",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…